Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Passport to a Void Promise

Analysis: Solving the wrong problem in the wrong way is a stupid tech trick.

A U.S. Government order for "several million" RFID chips puts Infineon Technologies on the pointy end of the international push for standardized electronic passports. Infineons Aug. 21 announcement has driven home the scale of this massive rollout, with 15 million logo-bearing U.S. e-passports expected to be issued in their first year of general use.

The potential benefits and risks of e-passports must be weighed against their certain cost—$97 each. Proponents claim greater speed and certainty of identification. A chip will store an encrypted digital photo, enabling comparison against the face of the bearer. Printed data will also be digitally encoded, signed to prevent alteration.

Drawbacks include possible ease of reading the digital information surreptitiously. The intended maximum reading distance is on the order of 4 inches, suggesting that the data could be accessed through clothing.

We commend the need to scan a printed code in the passport before its on-chip information can be used. We note, though, that multistage attacks combining a long-lensed camera and RFID (radio-frequency identification) reader are all too plausible.

Further reading

We also note that a passport may be false rather than forged. A genuine passport may be obtained using a fake birth certificate, for example. A passport with a failed e-chip remains a valid travel document, making claims of added security moot if a miscreant has the wit to disable the RFID device.

Designers of security systems must not assume that crackers will play by the rules. Its pointless to have the equivalent of a locked front door if an attacker can cut a hole in the roof.